search

fastmail / mail-dkim

Mail::DKIM Perl module, forked from svn://svn.code.sf.net/p/dkimproxy/code/Mail-DKIM/trunk
8 stars 6 forks source link

mail::dkim reports valid even if h= tag missing message-id signed #35

Open xpunkt opened 1 week ago

xpunkt commented 1 week ago

its simply a missing rfc compliance for minimal signed headers, hope this will be tested in dkim so all the paypal phish from onmicrosft can be rejected :)

mnalis commented 1 week ago

Can you clarify what you mean by "minimal signed headers"?

STD 76 AKA RFC 6736 - DomainKeys Identified Mail (DKIM) Signatures in section "5.4.1. Recommended Signature Content" says (among other things):

There are trade-offs in the decision of what constitutes the "core" of the message, which for some fields is a subjective concept. Including fields such as "Message-ID", for example, is useful if one considers a mechanism for being able to distinguish separate instances of the same message to be core content

But does not seem to indicate that signing Message-ID is required; to the contrary?

marcbradshaw commented 4 days ago

Section 3.5 states that...

h= Signed header fields (plain-text, but see description; REQUIRED). A colon-separated list of header field names that identify the header fields presented to the signing algorithm. The field MUST contain the complete list of header fields in the order presented to the signing algorithm. The field MAY contain names of header fields that do not exist when signed; nonexistent header fields do not contribute to the signature computation (that is, they are treated as the null input, including the header field name, the separating colon, the header field value, and any CRLF terminator). The field MAY contain multiple instances of a header field name, meaning multiple occurrences of the corresponding header field are included in the header hash. The field MUST NOT include the DKIM-Signature header field that is being created or verified but may include others. Folding whitespace (FWS) MAY be included on either side of the colon separator. Header field names MUST be compared against actual header field names in a case-insensitive manner. This list MUST NOT be empty. See Section 5.4 for a discussion of choosing header fields to sign and Section 5.4.2 for requirements when signing multiple instances of a single field.

It does not state that any particular header must be included in the minimal set, that is a choice by the sender. While there could be an argument for requiring that given headers be DKIM signed that would be a local policy, and not something that is a part of Mail::DKIM